test: merge hooks audit risk cases

2026-03-19 14:00:51 +00:00 · 2026-03-17 08:55:04 +00:00
parent 3aa76a8ce7
commit 4fd17021f2
1 changed files with 44 additions and 50 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -2751,43 +2751,50 @@ description: test skill
    );
  });

-  it("warns when hooks token looks short", async () => {
-    const cfg: OpenClawConfig = {
-      hooks: { enabled: true, token: "short" },
-    };
-
-    const res = await audit(cfg);
-
-    expectFinding(res, "hooks.token_too_short", "warn");
-  });
-
-  it("flags hooks token reuse of the gateway env token as critical", async () => {
-    const prevToken = process.env.OPENCLAW_GATEWAY_TOKEN;
-    process.env.OPENCLAW_GATEWAY_TOKEN = "shared-gateway-token-1234567890";
-    const cfg: OpenClawConfig = {
-      hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
-    };
-
-    try {
-      const res = await audit(cfg);
-      expectFinding(res, "hooks.token_reuse_gateway_token", "critical");
-    } finally {
-      if (prevToken === undefined) {
-        delete process.env.OPENCLAW_GATEWAY_TOKEN;
-      } else {
-        process.env.OPENCLAW_GATEWAY_TOKEN = prevToken;
-      }
-    }
-  });
-
-  it("warns when hooks.defaultSessionKey is unset", async () => {
-    const cfg: OpenClawConfig = {
-      hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
-    };
-
-    const res = await audit(cfg);
-
-    expectFinding(res, "hooks.default_session_key_unset", "warn");
+  it.each([
+    {
+      name: "warns when hooks token looks short",
+      cfg: {
+        hooks: { enabled: true, token: "short" },
+      } satisfies OpenClawConfig,
+      expectedFinding: "hooks.token_too_short",
+      expectedSeverity: "warn" as const,
+    },
+    {
+      name: "flags hooks token reuse of the gateway env token as critical",
+      cfg: {
+        hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
+      } satisfies OpenClawConfig,
+      env: {
+        OPENCLAW_GATEWAY_TOKEN: "shared-gateway-token-1234567890",
+      },
+      expectedFinding: "hooks.token_reuse_gateway_token",
+      expectedSeverity: "critical" as const,
+    },
+    {
+      name: "warns when hooks.defaultSessionKey is unset",
+      cfg: {
+        hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
+      } satisfies OpenClawConfig,
+      expectedFinding: "hooks.default_session_key_unset",
+      expectedSeverity: "warn" as const,
+    },
+    {
+      name: "treats wildcard hooks.allowedAgentIds as unrestricted routing",
+      cfg: {
+        hooks: {
+          enabled: true,
+          token: "shared-gateway-token-1234567890",
+          defaultSessionKey: "hook:ingress",
+          allowedAgentIds: ["*"],
+        },
+      } satisfies OpenClawConfig,
+      expectedFinding: "hooks.allowed_agent_ids_unrestricted",
+      expectedSeverity: "warn" as const,
+    },
+  ])("$name", async (testCase) => {
+    const res = await audit(testCase.cfg, testCase.env ? { env: testCase.env } : undefined);
+    expectFinding(res, testCase.expectedFinding, testCase.expectedSeverity);
  });

  it("scores unrestricted hooks.allowedAgentIds by gateway exposure", async () => {
@@ -2823,19 +2830,6 @@ description: test skill
    );
  });

-  it("treats wildcard hooks.allowedAgentIds as unrestricted routing", async () => {
-    const res = await audit({
-      hooks: {
-        enabled: true,
-        token: "shared-gateway-token-1234567890",
-        defaultSessionKey: "hook:ingress",
-        allowedAgentIds: ["*"],
-      },
-    });
-
-    expectFinding(res, "hooks.allowed_agent_ids_unrestricted", "warn");
-  });
-
  it("scores hooks request sessionKey override by gateway exposure", async () => {
    const baseHooks = {
      enabled: true,